http://2015.brucon.org/index.php?title=Special:NewPages&feed=atom&hideredirs=1&limit=50&offset=&namespace=0&username=&tagfilter=BruCON 2015 - New pages [en]2024-03-28T16:23:51ZFrom BruCON 2015MediaWiki 1.27.4http://2015.brucon.org/index.php/Hacker_RunHacker Run2015-10-03T03:28:29Z<p>Seba: /* Hacker Run */</p>
<hr />
<div>=Hacker Run=<br />
<br />
What better way is there to start the second conference day than running 10km with a bunch of hackers? <br />
<br />
Put on your running shoes and join us at the entrance of the Novotel (workshop venue) on Friday at 7:30. <br />
<br />
We’ll be back in time to freshen up and attend the first presentation of the day. <br />
<br />
Word is that it’s also a good way to get rid of a hangover!<br />
<br />
Add this to your schedule [http://sched.brucon.org/event/06b820a89badbd823c02952bc53f2665#.Vg9LpxNCrdQ here]</div>Sebahttp://2015.brucon.org/index.php/Training_2015_-_Offensive_IoT_ExploitationTraining 2015 - Offensive IoT Exploitation2015-05-26T09:40:05Z<p>Tom.Gilis: /* Trainer Biography */</p>
<hr />
<div>=Offensive IoT Exploitation=<br />
<br />
==Objectives==<br />
IoT, or the Internet of Things, is one of the fastest-growing trends in technology today, with many new devices appearing every single month. However, not much attention has been paid to the security of these devices so far. "Offensive IoT Exploitation" is a brand new and unique course which gives pentesters the ability to assess the security of these smart devices. The training will cover assessing IoT attack surfaces and finding security issues. The course will be hands-on, giving attendees the ability to try things themselves rather than just watching the slides. We will start from the very beginning, discussing the architecture of IoT devices, and then slowly move on to firmware analysis, identifying the attack surface and finding/exploiting vulnerabilities. <br />
The course labs include both emulated environments and real live devices, which will be provided to the attendees during the training for the hands-on labs. Offensive IoT Exploitation training is designed for pentesters who want to kickstart their career in IoT pentesting; the training does not expect attendees to have prior knowledge of assembly, mobile security or reversing.<br />
<br />
=Course Content=<br />
* Introduction to IoT<br />
* IoT Architecture<br />
* Identify attack surfaces<br />
* Mobile App security and analysis<br />
* Specific Web and Mobile based vulnerabilities<br />
* ARM Architecture and assembly<br />
* ARM Reversing<br />
* Device scanning<br />
* Firmware analysis and reversing<br />
* Modifying and creating custom firmware<br />
* Simulating real environments<br />
<br />
==What to expect==<br />
* Hands-on Labs<br />
* Reversing binaries and apps<br />
* Getting familiar with IoT security<br />
* This course will give you a direction to start performing pentests on IoT devices<br />
<br />
==What not to expect==<br />
Becoming a hardware/IoT hacker overnight. Use the knowledge gained in the training to start pentesting IoT devices and sharpen your skills.<br />
<br />
=Who Should Take this Course=<br />
* Pentesters/security professionals<br />
* Embedded security enthusiasts<br />
* Anyone interested in learning IoT pentesting<br />
<br />
= Requirements = <br />
* Basic knowledge of web and mobile security<br />
* Basic knowledge of Linux OS<br />
<br />
== Software and hardware requirements ==<br />
* Laptop with at least 25 GB free space<br />
* 2 GB minimum RAM<br />
* External USB access<br />
* Administrative privileges on the system<br />
* Virtualization software – VirtualBox/VMware Player<br />
<br />
== Provided at the course ==<br />
* IoT devices will be provided during the class for Labs<br />
* Custom VM<br />
* Slides<br />
<br />
=Trainer Biography=<br />
[[File:Aditya_Gupta.jpg|thumb|125px]]<br />
Aditya Gupta (@adi1391) is the founder and trainer of Attify, a mobile security firm, and a leading mobile security expert and evangelist. Apart from being the lead developer and co-creator of the Android Framework for Exploitation, he has done a lot of in-depth research on the security of mobile and hardware devices, including Android, iOS and BlackBerry, as well as BYOD enterprise security. He is also the author of the popular Android security book "Learning Pentesting for Android", which has sold over 5000 copies since its launch in March 2014. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe, Skype, and many more. He has also published a research paper on ARM exploitation titled "A Short Guide on ARM Exploitation." In his previous work at ediff.com, his main responsibilities were to look after web application security and lead security automation. He also developed several internal security tools for the organization to handle security issues. He has previously spoken and trained at numerous international security conferences including Black Hat, Syscan, OWASP AppSec, Toorcon, Clubhack, Nullcon etc., along with many corporate trainings on mobile security.<br />
<br />
<br>[[Image:300px-twitter-icon.jpg|17px]] [https://twitter.com/adi1391 @adi1391]<br />
<br />
[[File:Aseem_Jakhar.jpg|thumb|125px]]<br />
Aseem Jakhar is Director of Research at Payatu Technologies Pvt Ltd (payatu.com), a boutique security testing company. He is well known in the hacking and security community as the founder of null (The Open Security Community), a registered not-for-profit organization (http://null.co.in), and also as the founder of the nullcon security conference (nullcon.net). He has extensive experience in system programming, security research, consulting and managing security software development projects. He has worked on various security software including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software, a multicast packet reflector, a transparent HTTPS proxy with captive portal and a Bayesian spam filter, to name a few. He is an active speaker at security and open source conferences; some of the conferences he has spoken at include AusCERT, Defcon, Hack.lu, Black Hat, PHDays, Xcon, Cyber Security Summit - Bangalore, Cocon, OSI Days - Bangalore, Clubhack and Gnunify. His research includes Linux remote thread injection, automated web application detection and dynamic web filtering. He is the author of the open source Linux thread injection kit Jugaad and of Indroid, which demonstrate a stealthy in-memory malware infection technique.<br />
<br />
<br />
''Mon. 5 - 7 October 2015 (09:00 - 17:00)''<br />
<br />
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]<br />
<br />
[[Training|Back to Training Overview]]</div>Tom.Gilishttp://2015.brucon.org/index.php/Training_2015_-_Assessing_and_Exploiting_Control_SystemsTraining 2015 - Assessing and Exploiting Control Systems2015-05-15T13:02:05Z<p>Tom.Gilis: /* Trainer Biography */</p>
<hr />
<div>=Assessing and Exploiting Control Systems=<br />
<br />
This is not your traditional SCADA security course! How many courses send you home with your own PLC and a set of hardware/RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, and master servers. Skills learned apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, and synchrophasors. This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and SamuraiSTFU (Security Testing Framework for Utilities), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we'll perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (Modbus, DNP3, IEC 60870-5-104), RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We’ll tie these techniques and exercises back to the control system devices that can be tested with them. The course exercises will be performed on a mixture of real-world and simulated devices to give students the most realistic experience possible in a portable classroom setting. <br />
<br />
Advances in modern control systems such as the energy sector’s “Smart Grid” bring great benefits for asset owners/operators and customers alike; however, these benefits come at a cost from a security perspective. With increased functionality and additional inter-system communication, modern control systems bring a greater risk of compromise that both asset owners/operators and customers must accept to realize the desired benefits. To minimize this risk, penetration testing in conjunction with other security assessment types must be performed to reduce vulnerabilities before attackers can exploit the critical infrastructures that exist in all countries around the world.<br />
<br />
==Objectives==<br />
* Attendees will be able to explain the steps and methodology used in performing penetration tests on Industrial Control and Smart Grid systems. <br />
* Attendees will be able to use the free and open source tools in SamuraiSTFU to discover and identify vulnerabilities in web applications. <br />
* Attendees will be able to exploit several hardware, network, user interface, and server-side vulnerabilities.<br />
<br />
=Course Content=<br />
<br />
==Introduction to the NESCOR methodology for penetration testing==<br />
* Preparing for a penetration test <br />
* Architecture reviews <br />
* Pentesting the master servers <br />
* Pentesting the user interfaces <br />
* Pentesting the network communications <br />
* Pentesting the embedded field devices <br />
* End-to-end assessment <br />
* Reporting <br />
<br />
==Introduction to SamuraiSTFU (Security Testing Framework for Utilities)==<br />
* Setting up the virtual machine <br />
* Walk through the tools and functionality <br />
* Introduction to the student hardware kits <br />
<br />
==Performing traditional network pentests on control systems ==<br />
* Overview of a traditional network penetration test methodology <br />
* Dangers of port and vulnerability scanning <br />
* Strategies to perform port and vulnerability scanning <br />
<br />
==Types of ICS user interfaces ==<br />
* Traditional applications <br />
* Web applications <br />
* Terminal interfaces <br />
<br />
==Pentesting Different Communication Layers ==<br />
* Testing of communication mediums vs communication protocols <br />
* Where security defenses should be placed... and tested <br />
<br />
==Serial communications ==<br />
* RS-485 and RS-232 <br />
* Modbus RTU <br />
* 16-bit unsigned registers and single bit coils <br />
<br />
==Pentesting RF communications between master servers and field devices ==<br />
* Hands-on RF spectrum analysis and signal capture <br />
* Spread Spectrum types and strategies <br />
* Hands-on signal demodulation with GNU Radio <br />
* Hands-on network traffic extraction <br />
* Traffic transmission and exploitation <br />
<br />
==Pentesting TCP/IP based ICS protocols ==<br />
* Protocol capture and analysis <br />
* Modbus, DNP3, IEC 61850, ICCP, ZigBee, C37.118, and C12.22 <br />
* Dealing with unknown protocols <br />
* Hands-on entropy analysis of network payloads <br />
* Reverse engineering unknown protocols <br />
* Hands-on ICS protocol fuzzing <br />
<br />
==Pentesting technician interfaces on ICS field and floor devices ==<br />
* Functional analysis of field technician interfaces <br />
* Hands-on exercise capturing USB communications to tech interfaces <br />
* Hands-on exercise analyzing captured USB communications <br />
* Impersonating endpoints in field tech interface communications <br />
* Hands-on exercises fuzzing AMI Smart Meter C12.18 optical interfaces <br />
* Exploiting vulnerabilities found during analysis <br />
<br />
==Analyzing field and floor device firmware ==<br />
* Obtaining field and floor device firmware <br />
* Hands-on exercise disassembling firmware <br />
* Hands-on exercise analyzing disassembled firmware <br />
* Exploiting firmware flaws <br />
<br />
==Overview of pentesting field and floor device embedded circuits ==<br />
* Local attack through physically exposed devices <br />
* Expanding physical attacks to remote attacks <br />
* Cryptographic keys and firmware <br />
<br />
==Analysis of embedded electronics in ICS field and floor devices ==<br />
* Discussion of device disassembly <br />
* Component analysis on embedded circuits <br />
* Datasheet acquisition and analysis for target components <br />
<br />
==Dumping data at rest on embedded circuits ==<br />
* Using the Bus Pirate and other similar tools <br />
* Overview of I2C or two-wire serial protocol <br />
* Hands-on exercise dumping I2C EEPROMs <br />
* Overview of SPI serial protocol <br />
* Hands-on exercise dumping SPI EEPROMs <br />
* Overview of JTAG <br />
* Hands-on exercise interfacing with JTAG <br />
<br />
==Bus Snooping on embedded circuits ==<br />
* Overview of bus snooping <br />
* Hands-on exercise snooping busses <br />
<br />
==Analyzing data obtained from data dumping and bus snooping ==<br />
* Hands-on exercise doing string analysis of datasets <br />
* Hands-on exercise doing entropy analysis of datasets <br />
* Hands-on exercise doing systematic key searches through datasets <br />
* Hands-on exercise doing file carving from datasets<br />
<br />
= Requirements = <br />
Basic penetration testing experience is desirable, but not required. It is assumed that attendees will have no knowledge of ICS, Smart Grid, SCADA, or critical infrastructure. This course is designed for intermediate level security professionals, be they engineers, technicians, analysts, managers, or penetration testers.<br />
<br />
== Recommended read ==<br />
For those with little or no ICS experience, these Wikipedia articles provide a brief introduction to the concepts and history of control systems that will be helpful to know for class. <br />
* http://en.wikipedia.org/wiki/ICS <br />
* http://en.wikipedia.org/wiki/SCADA <br />
* http://en.wikipedia.org/wiki/Distributed_control_system <br />
* http://en.wikipedia.org/wiki/Smart_grid <br />
<br />
http://nostarch.com/xboxfree - While this has nothing to do with control systems, it provides a great introduction to the concepts and techniques taught in this class to pentest embedded electronic hardware in ICS field/floor devices. <br />
<br />
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf - Chapter 7 of the NIST Interagency Report 7628, titled Bottom-up Security Analysis of the Smart Grid, provides a great overview of the challenges faced in Smart Grid and energy sector systems, many of which we are testing for and exploiting in this class.<br />
<br />
== Software and hardware requirements ==<br />
* Laptop with at least two USB ports (three ports preferred). If only two USB ports exist on the Laptop and they are right next to each other (such as found on a Macbook Air), a USB extension cable must be brought as well <br />
* Latest VMware Player, VMware Workstation or VMware Fusion installed. Other virtualization software such as Parallels or VirtualBox may work if the attendee is familiar with its functionality; however, VMware Player should be prepared as a backup just in case <br />
* Access to an account with administrative permissions and the ability to disable all security software on their laptop such as Antivirus and/or firewalls if needed for the class <br />
* A DVD drive to copy the course files <br />
* At least thirty (30) GB of free hard drive space <br />
* At least four (4) GB of RAM, optimally eight (8) GB of RAM<br />
<br />
== Provided at the course ==<br />
* Latest version of SamuraiSTFU (Security Testing Framework for Utilities) <br />
* PDF version of the course slide deck<br />
* Student hardware/RF pentest kits to use in class and take home<br />
<br />
=Trainer Biography=<br />
[[File:Searle_snapshot.jpg|thumb|125px]]<br />
Justin Searle, the author of the course, will replace Don C. Weber as trainer for this course.<br />
<br />
Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and has played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences.<br />
<br />
Mr. Searle is currently a certified instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework (SamuraiWTF), the Samurai Security Testing Framework for Utilities (SamuraiSTFU), Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).<br />
<br />
More information on his security [http://www.meeas.com/ blog].<br />
<br />
<br>[[Image:300px-twitter-icon.jpg|17px]] [https://twitter.com/meeas @meeas]<br />
<br>[http://www.utilisec.com http://www.utilisec.com]<br />
<br />
''Mon. 5 - 7 October 2015 (09:00 - 17:00)''<br />
<br />
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]<br />
<br />
[[Training|Back to Training Overview]]</div>Tom.Gilishttp://2015.brucon.org/index.php/Training_2015_-_Cyber_Breach_ManagementTraining 2015 - Cyber Breach Management2015-04-28T19:47:51Z<p>Tom.Gilis: /* Trainer Biography */</p>
<hr />
<div>=Cyber Breach Management=<br />
<br />
===Course Description===<br />
The frequency, scope, and sophistication of attacks against computer networks are increasing daily. This course will teach students how to successfully manage the people, processes, and voluminous data required to investigate and recover from a breach. All phases of the incident response process will be covered, and hands-on exercises will provide tools for analyzing system artifacts as well as scrutinizing and communicating technical findings.<br />
<br />
=Course Contents=<br />
<br />
To be specified<br />
<br />
= Student requirements = <br />
The class is geared toward students with a background in digital forensics, computer networking or systems administration. Students should be familiar with common computing and networking terms and concepts such as file systems, RAM, DNS, Active Directory, IP addresses, firewalls, etc. Comfort with the Windows and Linux command line would also be beneficial.<br />
<br />
=Trainer Biography=<br />
[[File:Chris.Nutt.jpg|thumb|125px]]<br />
Chris Nutt is an expert in the field of incident response and digital forensics. He has more than 10 years of experience helping global organizations manage and conduct complex investigations into attacks targeting intellectual property and financial information. <br />
<br />
He is a recent addition to Kroll’s Cyber Security practice, but spent the prior seven years with Mandiant, where he helped develop their investigative methodologies, digital forensics techniques, and technologies.<br />
<br />
Chris has previously taught courses on incident response and digital forensics at venues including CounterMeasure, Black Hat USA, Abu Dhabi and Asia. He has also written numerous articles on incident response and information security, including his most recent, "Payment Card Data Theft: Tips For Small Business" - Dark Reading, July 2014.<br />
<br />
[http://www.darkreading.com/attacks-breaches/payment-card-data-theft-tips-for-small-business/a/d-id/1297277? Payment Card Data Theft: Tips For Small Business by Chris Nutt]<br />
<br />
''Mon. 5 - 7 October 2015 (09:00 - 17:00)''<br />
<br />
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]<br />
<br />
[[Training|Back to Training Overview]]</div>Tom.Gilishttp://2015.brucon.org/index.php/Spring_Training_2015_-_Tactical_Exploitation_and_ResponseSpring Training 2015 - Tactical Exploitation and Response2015-01-21T19:51:21Z<p>Tom.Gilis: /* Trainer Biography */</p>
<hr />
<div>=Tactical Exploitation and Response=<br />
<br />
===Course Description===<br />
This unique class offers a view into attacker and defender models in one single session. <br />
Tactical Exploitation and Response will dive into the mechanics used in real attacker scenarios. <br />
Students will learn how to attack systems using real world techniques vs penetration testing techniques. Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits.<br />
<br />
After learning techniques that will be successful in attacking any target, students will turn to learning unique ways to defend against and detect these attacks. This section of the course introduces a tactical approach to instrumenting, alerting, and responding for enterprises. <br />
Real world attacks concentrate heavily on a number of methodologies including: compromising systems without depending upon standard exploits, Personal Security Product (PSP) evasion, unique stealth approaches, persistence mechanisms, and varying degrees of collection strategies. Attendees will learn how real attackers use these strategies and how to detect, alert, respond, and defend against these techniques.<br />
<br />
Topics Covered:<br />
* Real offensive mindsets, not penetration testing mindsets<br />
* How attacker recon isn't about processes and software<br />
* Using Windows against itself<br />
* Privilege Escalation without exploits<br />
* Evasion Techniques<br />
* Lateral movement options<br />
* Host logging and auditing<br />
* Leveraging active directory<br />
* Host and network indicator extraction for enterprise results<br />
* Proper response mechanisms and communication<br />
* PCAP and network intelligence extraction<br />
* Advanced host and file triage capabilities<br />
* Host command and process monitoring across a host<br />
<br />
=Course Contents=<br />
<br />
== Introduction ==<br />
* Class fundamentals<br />
* Incident Response/Exploitation Fundamentals and Methodologies<br />
* Attacker Methodologies and Mindsets <br />
<br />
== Host based Exploitation == <br />
* Web hacking techniques for Black Hats<br />
* Customizing exploits for weaponization<br />
* Shells through the web <br />
<br />
== Lateral Movement ==<br />
* Network Recon and how it is different from host<br />
* Working through networks<br />
* Uncommon lateral movement techniques<br />
* Abusing Single Sign On for lateral movement <br />
<br />
== Host Monitoring ==<br />
* Host monitoring and logging<br />
* Detecting ALL methods of logging on and off<br />
* Process Tracing/Tracking<br />
* Finding Maliciousness in processes<br />
* Windows Event Logs Concepts<br />
* Lateral Movement and Event Logs<br />
<br />
== Memory Analysis ==<br />
* Acquisitions and limitations<br />
* Intro to Volatility<br />
* Memory Analysis Basics<br />
* Memory Analysis Advanced<br />
* Poor Man's Memory Analysis<br />
<br />
== Network Logging Modules ==<br />
* DNS/Web logs and the basics<br />
* Detecting DNS Tunnels<br />
* Automating DNS logs<br />
* Normal Web Detection Techniques<br />
* Advanced Web Detection Techniques <br />
<br />
== Network Monitoring ==<br />
* Netflow and PCAP concepts<br />
* Finding suspicious traffic in network monitoring<br />
* Lateral Movement detection through network monitoring<br />
<br />
== Malware Analysis 101 ==<br />
* Lab Setup<br />
* Goals<br />
* File Artifacts and Analysis <br />
<br />
= Requirements = <br />
Students must have:<br />
* Familiarity with scripting languages such as Python/Perl/Ruby<br />
* A familiarity with Windows and Linux administration<br />
* Familiarity with the malware analysis and reverse engineering malware processes <br />
<br />
== Software and hardware requirements ==<br />
Student machines must be able to run at least 2 virtual machines utilizing VMware Workstation 8.0 and above (which can be obtained through a demo license). <br />
To run multiple machines usually means at least 4 gigs of memory is needed. <br />
Student laptops must be running either OSX, Linux, or Windows and must have the ability to disable all antivirus, sniff traffic, adjust firewalls, etc. <br />
Students are responsible for bringing an XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware. <br />
<br />
=Trainer Biography=<br />
Due to a recent career change, Russ Gideon has been replaced with Colin Ames for this training. <br />
<br />
Colin Ames is one of the founding partners of Attack Research LLC, a boutique security company in the United States. Colin has been working in the information technology field for 18 years for both government and private organizations, with the last decade being focused on computer and information security. Colin was a contributing member of Metasploit, and has spoken and trained many times at security conferences like Blackhat, Shakacon, Countermeasures, and Source Boston. Colin has done reverse engineering, exploit development, vulnerability discovery, and post-exploitation on Windows, OSX, Linux, and Unix operating systems, and has a special place in his heart for file formats, especially Adobe's PDF. Colin is also on the selection committee for the Shakacon security conference. <br />
<br />
More information is available on [http://carnal0wnage.attackresearch.com/ carnal0wnage]<br />
<br />
''Mon. 5 - 7 October 2015 (09:00 - 17:00)''<br />
<br />
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]<br />
<br />
[[Training|Back to Training Overview]]</div>Tom.Gilishttp://2015.brucon.org/index.php/Spring_Training_2015_-_Wireshark_WiFi_and_Lua-Packet_ClassSpring Training 2015 - Wireshark WiFi and Lua-Packet Class2015-01-21T19:16:27Z<p>Tom.Gilis: </p>
<hr />
<div>=Wireshark WiFi training=<br />
<br />
===Course Description===<br />
Wireshark is the number one network security tool according to the SecTools.org Top 125 Network Security Tools survey.<br />
But have you ever taken the time to familiarize yourself with the many powerful features of this excellent security tool? If you have not, then now is your chance to learn as much as you can in this class and receive your complimentary AirPcap adapter for Windows. The AirPcap adapter allows you to sniff WiFi traffic on Windows machines. You can keep this AirPcap adapter after the training.<br />
<br />
This training is for the novice and intermediate Wireshark user.<br />
<br />
* First, Didier will familiarize you with the user interface of Wireshark.<br />
* Then, we will touch upon the art of capturing traffic. You might think that you just need to install Wireshark on your machine to capture traffic, but that is just one way to do it. We will also look at ways to capture traffic at different points in the network, using network devices and dedicated hardware.<br />
* Learning about capture filters will help you control the size of your capture files on busy networks. Knowing capture filters is an important skill for security professionals. Capture filters are not only used by Wireshark, but many other (security) tools you will encounter in your career.<br />
* Colorizing traffic and using display filters (not to be confused with capture filters) are key in finding the interesting packets hiding in your capture files.<br />
* Your head will spin when you see all the built-in statistics. Wireshark comes with many statistical reports that help you drill down into your captures. Many of these statistical tools support display filters, allowing you to customize your reports. And when we say reports, we mean graphics too: Wireshark can produce graphical representations of your network traffic. When you master this feature, you will be able to grasp aspects of your network traffic in the blink of an eye.<br />
* Data sent over a network is split up into several packets and can use many protocols. It can be a hard task to figure out what all these packets mean. But Wireshark understands this and can reassemble these packets into streams so that you can view and extract the data you are interested in, giving you an abstracted view so that you are no longer “lost in packets”.<br />
* We will also learn about Wireshark's expert system, an often overlooked feature that can save you many hours of peering at packets.<br />
<br />
The AirPcap adapter allows you to capture WiFi traffic in monitor mode on Windows machines (normal WiFi adapters on Windows only support promiscuous mode). We will familiarize ourselves with the different options of the AirPcap adapter. You will receive a couple of tools, for example to perform channel hopping with the AirPcap adapter. The AirPcap Classic USB adapter is a complimentary device that is part of this training and becomes your property.<br />
<br />
Once we are familiar with Wireshark's many important features, we will look at all types of traffic. Regular day-to-day traffic like DNS, TCP/IP, HTTP, SMTP, WLAN, … but, of course, also the irregular traffic like network scans (nmap anyone?) and network discovery, and traffic from hacker tools and malware like botnets. Network forensics is an important skill to master, and Wireshark is an essential tool to help you master this skill.<br />
<br />
As an experienced Wireshark user, Didier has come to hit some limits of Wireshark, and has worked past these limitations using command-line tools like Tshark and specialized scripts. In this training, Didier will share with you how he has gone beyond “simple” Wireshark. For example, say that you have traffic captures worth a couple of gigabytes. Just using Wireshark to look at this traffic becomes virtually impossible, unless you have an insanely specced-out machine that your boss will never give you. But using the right command-line tools, together with some specialized Python scripts, Didier will teach you how to take this hurdle.<br />
Wireshark can also be extended using the C and Lua programming languages. In this class, we will look into Lua taps and dissectors to help you analyze traffic that “pure” Wireshark does not understand. Wireshark dissectors are often designed to analyze a network protocol. Say you are reversing a botnet; then you can develop your own dissector that analyzes the custom network protocol that the botnet uses to communicate between the C&C and the clients. But custom dissectors can help you even with known network protocols. For example, Didier will teach you the inner workings of a simple custom dissector he developed in Lua to analyze HTTP cookies. This simple dissector is very useful to filter out traffic according to server sessions, like PHP or ASP sessions.<br />
<br />
In a nutshell, this packed training will teach you both simple and advanced Wireshark skills that are essential for security professionals and hackers.<br />
You do not need any prior exposure to Wireshark to attend this training, but a basic understanding of networking is required. Programming in Lua is not a required skill for this training; we will explain all you need to know about Lua. But some basic scripting experience is useful, so you do not feel overwhelmed when we discuss custom dissectors. If you know what an if-statement and a for-loop are, you will be fine.<br />
<br />
Key learning objectives<br />
<br />
* Get a thorough overview of Wireshark's features<br />
* Getting familiar with WiFi<br />
* Learn how to customize Wireshark<br />
* Learn how to script Wireshark<br />
<br />
<youtube>DfDsPVq-WQY</youtube><br />
<br />
= Course outline =<br />
=== Day 1 ===<br />
<br />
* Get familiar with the user interface of Wireshark<br />
* WiFi with AirPcap<br />
* The art of capturing traffic<br />
** capture traffic at different points in the network<br />
** using network devices to capture traffic<br />
** using dedicated hardware to capture traffic<br />
* Capture filters<br />
** Knowing capture filters is an important skill for security professionals. Capture filters are not only used by Wireshark, but many other (security) tools you will encounter in your career.<br />
* Display filters (not to be confused with capture filters)<br />
* Colorizing traffic <br />
* Built-in statistics<br />
** report<br />
** graphs<br />
** customize with display filters<br />
* Streams and data<br />
* Wireshark's expert system<br />
<br />
=== Day 2 === <br />
<br />
* Practical capture analysis<br />
** Regular day-to-day traffic<br />
*** DNS<br />
*** TCP/IP<br />
*** HTTP<br />
*** SMTP<br />
*** WLAN<br />
*** …<br />
** Irregular traffic<br />
*** network scans (nmap anyone?)<br />
*** network discovery<br />
*** traffic from hacker tools<br />
*** traffic from malware like botnets<br />
*** …<br />
** Network forensics<br />
* Scripting<br />
** Command-line scripting with Tshark, Python and Lua<br />
** Lua listeners<br />
** Lua dissectors<br />
*** Use a Lua dissector generator<br />
*** Refactor existing Lua dissectors<br />
*** New protocol dissectors<br />
*** Post dissectors<br />
<br />
= Requirements = <br />
A basic understanding of networking is required. Some basic scripting experience is useful, so that you do not feel overwhelmed when we discuss custom dissectors. If you know what an if-statement and a for-loop are, you will be fine.<br />
<br />
= Hardware/software Requirements =<br />
A Windows laptop with the latest version of Wireshark installed and with Python 2.7. Administrative rights are useful to install some Python modules. If you don't have administrative rights, make sure that you can perform a capture and run Lua scripts. If you are in doubt, make sure that you have administrative rights.<br />
Make sure that there is no security software running that could interfere with capturing.<br />
<br />
The AirPcap adapter only works for Windows. OSX and Linux machines don’t need this adapter, they can use the existing WiFi NIC in monitor mode. If you have no other option, you can bring an OSX or Linux machine to the class, but then you won’t be able to use the AirPcap adapter.<br />
<br />
=Trainers Biography=<br />
[[File:Didier_Stevens.png|thumb|125px]]<br />
Didier Stevens (Security Consultant, Didier Stevens Labs, Contraste Europe NV) is an IT security professional well known for his security and forensic tools, like the Network Appliance Forensic Toolkit (NAFT). Didier is an experienced Wireshark user; he started using it when it was still known as Ethereal.<br />
<br />
Didier holds many IT certifications, is a Microsoft MVP (Security) and a SANS ISC Handler. Relevant to this training are his WCNA certification (Wireshark Certified Network Analyst) and his CCNP Security certification (Cisco Certified Network Professional). You can find his tools on his security blog (see below).<br />
<br />
More information is available on Didier Stevens [http://blog.DidierStevens.com Blog]<br />
<br />
<br>[[Image:300px-twitter-icon.jpg|17px]] [https://twitter.com/DidierStevens @DidierStevens]<br />
<br />
Links : <br />
* [http://blog.DidierStevens.com Didier's Blog]<br />
* [http://didierstevens.com/ Didierstevens.com]<br />
* [http://blog.didierstevens.com/screencasts-videos/ Screencasts and Videos]<br />
<br />
''Mon. 5 - 6 October 2015 (09:00 - 17:00)''<br />
<br />
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]<br />
<br />
[[Training|Back to Training Overview]]</div>Tom.Gilishttp://2015.brucon.org/index.php/Spring_Training_2015_-_Hacking_web_applications_%E2%80%93_case_studies_of_award-winning_bugs_in_Google,_Yahoo,_Mozilla_and_moreSpring Training 2015 - Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more2015-01-21T11:23:01Z<p>Tom.Gilis: /* Trainers Biography */</p>
<hr />
<div>=Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more=<br />
<br />
===Course Description===<br />
Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this hands-on training!<br />
<br />
I will discuss security bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively. <br />
<br />
To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.<br />
<br />
After completing this training, you will have learned about:<br />
* tools/techniques for effective hacking of web applications<br />
* non-standard XSS, SQLi, CSRF<br />
* RCE via serialization/deserialization<br />
* bypassing password verification<br />
* remote cookie tampering<br />
* tricky user impersonation<br />
* serious information leaks<br />
* browser/environment dependent attacks<br />
* XXE attack<br />
* insecure cookie processing<br />
* session related vulnerabilities<br />
* mixed content vulnerability<br />
* SSL strip attack<br />
* path traversal<br />
* response splitting<br />
* bypassing authorization<br />
* file upload vulnerabilities<br />
* caching problems<br />
* clickjacking attacks<br />
* logical flaws<br />
* and more…<br />
<br />
If you want to know what students from Oracle, Adobe, ESET and other companies say about this<br />
training, then visit [https://silesiasecuritylab.com/services/training/#opinions this page] to learn more.<br />
<br />
Students will be handed a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained, and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.<br />
<br />
= Requirements = <br />
To get the most out of this training, basic knowledge of web application security is needed. Students should have some experience using a proxy such as Burp, or a similar tool, to analyze or modify traffic.<br />
<br />
Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB and Ethernet ports, administrative access, ability to turn off AV/firewall and VMware Player installed (64-bit version).<br />
<br />
=Trainers Biography=<br />
[[File:Dawid_Czagan.jpeg|thumb|125px]] <br />
Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings. <br />
<br />
Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing. <br />
<br />
Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". He has delivered security trainings and workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He has also spoken at the Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).<br />
<br />
To find out about the latest in Dawid’s work, you are invited to visit his blog and follow him on Twitter (see below).<br />
<br />
<br>[[Image:300px-twitter-icon.jpg|17px]] [https://twitter.com/dawidczagan @dawidczagan]<br />
<br />
Links : <br />
* [https://silesiasecuritylab.com/blog Dawid's blog]<br />
* [https://silesiasecuritylab.com/services/training/#opinions What students say about this training]<br />
<br />
''Mon. 5 - 6 October 2015 (09:00 - 17:00)''<br />
<br />
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]<br />
<br />
[[Training|Back to Training Overview]]</div>Tom.Gilishttp://2015.brucon.org/index.php/Spring_Training_2015_-_Red_Team_TestingSpring Training 2015 - Red Team Testing2015-01-12T19:07:46Z<p>Tom.Gilis: </p>
<hr />
<div>=Red Team Testing=<br />
<br />
Chris and Ian are both frequent speakers at large security conferences (see links below) and have contributed tremendously to the security world. Their combined experience can easily fill a two week training course and unfortunately we "only" have three days.<br />
<br />
===Course Description===<br />
This is NOT a tools course! Becoming proficient in Red Teaming is NOT something that can be taught only in a classroom. We will have multiple field exercises as well as hands-on classroom sessions.<br />
<br />
This course will go over some of the tools and methods you MAY use in a Red Team assessment. Feel free to come up with your own styles.<br />
<br />
* You will learn the basics of how to profile attackers and use your imagination to become one.<br />
* Learn to act like a viable adversary of the target.<br />
* Learn to analyse the security processes and technologies that are in place.<br />
* Using what you observe, take advantage of what others have missed, to blend Electronic, Social and Physical security into a converged attack surface.<br />
<br />
= Requirements = <br />
Laptop with virtual machines running Kali Linux (or its predecessor BackTrack) and Windows (XP and above). The native OS can replace one of the VMs (e.g. a Windows host running a Kali VM, or vice versa).<br />
<br />
=Trainers Biography=<br />
<br />
== Ian Amit ==<br />
[[File:Ianamit.jpg|thumb|125px]]<br />
With over 15 years of experience in the information security industry, Ian Amit brings a mixture of software development, OS, network and web security to his daily work. He is a frequent speaker at leading security conferences around the world (including Black Hat, DefCon, OWASP, InfoSecurity, etc.), and has published numerous articles and research material in leading print, online and broadcast media. Ian is currently serving as a Vice President at the Social Risk Management company ZeroFOX.<br />
<br />
Ian is one of the founders of the Penetration Testing Execution Standard (PTES), its counterpart – the SexyDefense initiative, and a core member of the DirtySecurity crew.<br />
<br />
Ian holds a Bachelor's degree in Computer Science and Business Administration from the Interdisciplinary Center Herzliya.<br />
<br />
<br>[[Image:300px-twitter-icon.jpg|17px]] [https://twitter.com/iiamit @iiamit]<br />
<br />
== Chris Nickerson ==<br />
[[File:CNickerson.jpg|thumb|125px]]<br />
Chris Nickerson is a Certified Information Systems Security Professional (CISSP) whose main area of expertise is information security and Social Engineering. To help companies better defend and protect their critical data and key information systems, he has created a blended methodology to assess, implement, and manage information security realistically and effectively.<br />
<br />
At Lares, Chris leads a team of security consultants who conduct Security Risk Assessments, which can cover everything from penetration testing and vulnerability assessments, to policy design, computer forensics, Social Engineering, Red Team Testing and regulatory compliance. Prior to starting Lares, Chris was Director of Security Services at Alternative Technology, a Sr. Auditor for SOX compliance at KPMG, Chief Security Architect at Sprint Corporate Security, and developed an enterprise security design as network engineer for an international law firm. Chris also served in the U.S Navy.<br />
<br />
Certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), BS7799 Lead Auditor Accreditation (BS7799), NSA INFOSEC Assessment Methodology (NSA IAM).<br />
<br />
Specialties: Vulnerability Assessment, Risk Assessment, Compliance (HIPAA, GLBA, PCI, SOX, ISO 17799/27001), Penetration Testing, Application Security Assessment, Physical Security, Social Engineering.<br />
<br />
Links : <br />
* [https://www.youtube.com/watch?v=HW9hH0vlPEM (Youtube) Hackers are like curious babies by Chris Nickerson (TEDxFultonStreet)]<br />
* [https://www.youtube.com/watch?v=hxXNYJ1RWrE (Youtube) Chris Nickerson Interview (Security Zone 2013)]<br />
* [https://www.youtube.com/channel/UCqBhgNfuAlmPf2juvVT4XJQ (Youtube) Ian Amit's Youtube channel]<br />
<br />
''Wed. 22 - 24 April 2015 (09:00 - 17:00)''<br />
<br />
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]<br />
<br />
[[Training|Back to Training Overview]]</div>Tom.Gilishttp://2015.brucon.org/index.php/Spring_Training_2015_-_Practical_Malware_Analysis_-_Rapid_IntroductionSpring Training 2015 - Practical Malware Analysis - Rapid Introduction2015-01-09T14:44:49Z<p>Tom.Gilis: /* Trainer Biography */</p>
<hr />
<div>=Practical Malware Analysis: Rapid Introduction=<br />
<br />
One of BruCON's most popular trainings is back in 2015, hosted by Andrew Honig, co-author of the book. Don't be surprised if you are offered a complimentary beer at the end of each training day.<br />
<br />
Students also get a free copy of "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software".<br />
<br />
===Course Description===<br />
Get a rapid introduction to Malware Analysis and Reverse Engineering from a co-author of the book. This crash course will train students on how to triage and analyze malicious software. Students will get hands-on experience in the art of dissecting malicious code and gain the skills necessary to perform analysis in the field. This class prepares you for the Advanced Malware Analysis training that will be offered this Fall at BruCON.<br />
<br />
Students will learn how to:<br />
* Get hands-on experience analyzing backdoors, downloaders, keyloggers and spyware<br />
* Use key analysis tools like IDA Pro and OllyDbg<br />
* Analyze stealthy malware that hides its execution<br />
* Develop a methodology for unpacking malware and deal with the most popular packers<br />
* Quickly extract network signatures and host-based indicators to locate and defeat malicious software<br />
* Apply newfound knowledge of Windows Internals to malware analysis<br />
* Set up a safe virtual environment to analyze malware in a lab environment<br />
<br />
=Course Contents=<br />
<br />
== Day 1 ==<br />
<br />
* Malware Analysis overview<br />
* Setting up a safe environment<br />
* Basic static and dynamic techniques<br />
* Quickly obtaining signatures and indicators <br />
* A crash course in x86 Disassembly<br />
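A worked illustration of the "basic static techniques" and "quickly obtaining signatures and indicators" items above (and of the "extract network signatures and host-based indicators" objective), added here as an example; it is not code from the course, the book or FakeNet. It runs a strings-style scan (printable ASCII and UTF-16LE) over raw bytes and buckets the hits into indicator classes: URLs, IPv4 addresses, registry keys, file paths, mutex names, user-agent strings and suspicious API names. The byte blob is constructed to resemble a dropper's data section and is not a real sample; the regex classes are assumptions to be tuned per case.<br />

```python
"""Pull network and host-based indicators out of a binary's strings.

Added example for this page; not course or book code. Basic static analysis:
extract printable strings, then classify the ones that make usable indicators
before any disassembly work starts.
"""
import re

MIN_LEN = 6  # shortest run of printable characters reported, like strings -n 6

# Constructed fake data section (not a real sample): ASCII strings, one
# UTF-16LE string, and some binary junk too short to be reported.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://198.51.100.23/gate.php\x00"
    + b"Mozilla/5.0 (Windows NT 6.1) Evil/1.0\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00"  # alignment pad; keeps 'n\0' of 'Run\0' out of the UTF-16 match below
    + "C:\\Users\\Public\\svchost32.exe".encode("utf-16le") + b"\x00\x00"
    + b"Global\\{8F2A-MUTEX-0001}\x00"
    + b"\x7fELF\x01\x02\x03"
    + b"10.0.0.254\x00"
    + b"GetProcAddress\x00LoadLibraryA\x00CreateRemoteThread\x00"
)

# Indicator classes (assumed patterns; tune per case). No capturing groups so
# re.findall returns whole matches.
INDICATOR_PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>]+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("registry", re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE|SYSTEM)\\[^\s]+")),
    ("path", re.compile(r"[A-Za-z]:\\[^\s]+")),
    ("mutex", re.compile(r"Global\\[^\s]+")),
    ("user_agent", re.compile(r"Mozilla/\d[^\x00]*")),
    ("api", re.compile(r"^(?:GetProcAddress|LoadLibrary[AW]?|CreateRemoteThread|"
                       r"VirtualAlloc(?:Ex)?|WriteProcessMemory)$")),
]


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, text) for printable ASCII and UTF-16LE runs, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def classify(strings):
    """Bucket extracted strings into indicator classes; strings matching nothing are dropped.

    A string can feed several classes: the C2 URL also yields its IPv4 address.
    """
    indicators = {name: set() for name, _ in INDICATOR_PATTERNS}
    for _offset, text in strings:
        for name, pattern in INDICATOR_PATTERNS:
            for hit in pattern.findall(text):
                indicators[name].add(hit)
    return {name: sorted(hits) for name, hits in indicators.items() if hits}


def extract_indicators(data):
    """Strings pass plus classification in one call."""
    return classify(extract_strings(data))


if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE_BINARY):
        print("0x%04x  %s" % (offset, text))
    for name, hits in extract_indicators(SAMPLE_BINARY).items():
        print(name, hits)
```

Feed `open(path, "rb").read()` of an unpacked sample in place of SAMPLE_BINARY. On a packed binary this pass yields almost nothing beyond the packer's own imports, which is itself the cue to move to the unpacking work on day 3 before looking for indicators.<br />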
<br />
== Day 2 ==<br />
* Using IDA Pro for reversing malware<br />
* Analyzing malicious Windows programs<br />
* Debugging malware <br />
<br />
== Day 3 ==<br />
* Covert Malware Launching<br />
* Packers and Unpacking<br />
* Additional Special Topic as decided by the class<br />
<br />
=Prerequisites=<br />
* Eagerness to learn by getting hands-on<br />
* Knowledge of operating systems and computer architectures<br />
* Basic computer programming skills with any language<br />
* Windows Internals knowledge is helpful but not required<br />
<br />
== Software and hardware requirements ==<br />
VMware Workstation or Fusion installed. VMware Player is acceptable for this class, but generally not recommended.<br />
Roughly 30GB of free hard drive space for tools and the VMware image.<br />
<br />
=Trainer Biography=<br />
[[File:Andrew.Honig.jpg|thumb|125px]]<br />
Andrew Honig is a software security engineer for Google and a tech lead on the cloud security team where he works on virtualization and kernel security. He spent eight years with the National Security Agency where he taught courses on software analysis, reverse engineering, and Windows system programming at the National Cryptologic School. He discovered several vulnerabilities in virtualization software including VM escapes in VMware and KVM. He's the co-author of "Practical Malware Analysis" and developer of the FakeNet malware analysis tool.<br />
<br />
Links: <br />
* [https://www.youtube.com/watch?v=L7ScFlkJEO8 KVM Security Improvements by Andrew Honig] <br />
* [http://www.amazon.com/Andrew-Honig/e/B006J3I99Q Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software at Amazon]<br />
<br />
<br />
''Mon. 5 - 7 October 2015 (09:00 - 17:00)''<br />
<br />
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]<br />
<br />
[[Training|Back to Training Overview]]</div>Tom.Gilis